Read more!

The available evidence indicates the use of electronic surveillance
practices that go beyond traditional, targeted surveillance for
intelligence purposes in five EU countries: the UK, Sweden, France,
Germany and the Netherlands. Each
member state is examined with the following criteria in mind: the basic
technical features
of large-scale surveillance programmes; stated purpose of programmes,
targets and
types of data collected; actors involved in collection and use,
including evidence of
cooperation with the private sector; cooperation or exchange of data
with foreign
intelligence services, including the NSA; and the legal framework and
oversight
governing the execution of the programme(s).

Sweden

According to revelations by investigative journalists and experts consulted for the
purpose of this study, Sweden is becoming an increasingly important partner of the
global intelligence network. Signals intelligence operations in Sweden are the
responsibility of the National Defence Radio Establishment (FRA). In recent years, reports
have emerged alleging that FRA has engaged in operations and programmes for the
mass collection of data, with features that resemble in part those pursued by the US NSA
and the UK’s GCHQ.

Programme(s) for large-scale surveillance

Swedish intelligence services have a longstanding history of intercepting signals
intelligence, [1] however the past five years have seen allegations emerge stating that the
FRA has been engaged in accessing data traffic crossing its borders from fibre-optic
internet cables. In 2008 the TV broadcaster SVT reported that FRA was
collecting/receiving data from Russia and the Baltic states and forwarding them in bulk to
the US. These allegations were recently re-stated during Duncan Campbell’s testimony
to the European Parliament Inquiry on Electronic Mass Surveillance of EU Citizens of 5
September 2013, where he alleged that while the Försvarets radioanstalt has been
running satellite interception facilities for many years, Sweden’s new internet laws
passed in 2009 (FRA law) authorised the agency to monitor all cable-bound
communications traffic into and out of Sweden, including emails, text messages and
telephone calls. FRA is now alleged to engage in intercepting and storing communications
data from fibre-optic cables crossing Swedish borders from the Baltic sea.

The evidence indicates that FRA has been running operations for the ‘upstream’ collection
of private data – collecting both the content of messages as well as metadata of
communications crossing Swedish borders. The metadata are retained in bulk and stored
in a database known as ‘Titan’ for a period of 18 months. It is understood that interception of these fibre-optic cables involves a legal obligation on
communications service providers to transfer all cable communications crossing Swedish
borders to specific ‘interaction points’, where the communications service providers
surrender the data to the state. [2]

How the FRA processes communication and informations. Source: Klamberg (2010)Concerning the profile of individuals targeted by the FRA's mass data interception programme, the initial targets again appear to be indiscriminate. As in the UK. the bulk retention of data is, under the Swedish legal regime, only meant to cover commuications entering or exiting Swedish borders and not internal communications. However, internal communications that have been routed through nodes based outside Swedish territory are likely to also be classified as 'foreign' communications and retained for analysis. The Swedish legislative framework regulating the collectionof signals intelligence provides that if there is uncertainty whether data are foreign or domestic, the data may be collected and retained.

Final (processed) intelligence, described as 'reports to clients' is discriminate and does not include citizens in general. The legislation differentiates between 'defence intelligenceoperations' and 'auxiliary operations'. Defence intelligence operations concern a relatively small fraction of the communications that are deemed to directly relate to external military threats, international terrorism and similar phenonmena. The content of such communictaions associated with such threats is selected and reserved for detailed analysis. By contrast the 'auxiliary operations', which make up the lion's share of communications intercepted, is analysed as metadata, not content, and are not intended for generating intelligence reports to FRA's clients.

However, academic experts argue that the division between these modes of processing these two kinds of data is not clear-cut. Dr.Klamberg states that this division:

...creates the impression that a wall has been erected where the large amounts of traffic
data [metadata] collected through the auxiliary operations is used purely for some abstract
technical matters and not for intelligence purposes. This is a misconception.

This misconception is due to the fact that the preparatory works for the Swedish law on
signals intelligence state that since the auxiliary operations “aim to facilitate the defence
intelligence operations it would not be incompatible with the purpose for which the data
is collected that the data is also used to some extent in the defence intelligence
operations.”

Second, the preparatory works explain that reports to clients may involve extensive
descriptions of meta-data patterns and therefore, despite being intended for auxiliary
operations, may also be used for defence intelligence purposes.

While there is no explicit statement as to which national entities receive the data or
resulting intelligence drawn from this programme, according to the Swedish legislative
framework, data collected by the FRA may be shared with the following ‘customers’.

Cooperation with foreign intelligence services

There is evidence that FRA may be sharing substantial quantities of the data it collects
with foreign intelligence services, including NSA. Swedish legislation allows for the bulk
transfer of data to other states if authorised by the Government. Reports from media,
experts as well as government statements indicate that Swedish authorities have made
use of this possibility through exchanges of large amounts of raw data with the US as
well as the Baltic states.

Duncan Campbell, during his testimony to the European Parliament hearing on 5
September 2013, stated that Sweden’s FRA has become a new and important partner of
‘Five Eyes’, by providing major satellite and undersea-cable interception arrangements,
stating that FRA “is deemed, according to the documents, to be the biggest collaborating
partner of GCHQ outside the English-speaking countries”. Code-named ‘Sardine’, he
highlighted that Sweden makes an important contribution to the Five Eyes organisation, having access to cables that were hitherto inaccessible (those from the Baltic states and
Russia).

In a statement following the revelations by Campbell, Defence Minister Karin Enstrom
said Sweden’s intelligence exchange with other countries is “critical for our security” and
that “intelligence operations occur within a framework with clear legislation, strict
controls and under parliamentary oversight.” Likewise a FRA spokesperson has
acknowledged that FRA shares data with other countries, but declined to specify which
countries or to provide further details of the types of data shared. Similarly, there is no
indication of whether Sweden has been the recipient of data from other states, including
data from the NSA’s PRISM and other mass-surveillance programmes.

Legal framework and oversight

The legal authorisation for Sweden signals intelligence-gathering operations are issued
by an intelligence court (Underrättelsedomstolen - UNDOM). However, according to the
legislative framework governing the issuing of warrants – namely Act 2008:717 on
signals intelligence within defence intelligence operations, Act 2009:966 on the
Intelligence Court, and Decree 2009:968 with instructions for the Intelligence court –
warrants can be sweeping and are not limited to a specific individual.[3]

The surveillance activities of the FRA are monitored by a national oversight body, the
Inspection for Defence Intelligence Operations (Statens inspektion för
försvarsunderrättelseverksamheten – SIUN) which is composed of representatives from
the Government and Opposition parties.

However, academic experts have critiqued the weak system of checks and balances when
it comes to Swedish collection of signals intelligence. With regard to the UNDOM and the
SIUN, Dr. Mark Klamberg contends:

All of these institutions are under very tight control of the Government, an entity that
can issue requests for signals intelligence operations. The intelligence court has one
chief judge, one or two deputy chief judges. The judges are appointed by the
Government. One of the three nominees for the next chief judge is currently the chief
legal advisor at the Ministry of Defence. The current head of the signals intelligence
agency was previously the chief legal advisor at the Ministry of Defence when the
legislation was drafted. The members of SIUN do represent different political parties
but are appointed by the Government and report to the Government. Most of the
members of SIUN are former parliamentarians, which weakens the parliamentary
oversight in comparison to a system where the responsibility for oversight is
conducted by a committee of parliament, i.e. parliamentarians in office. All in all, the Swedish system of checks and balances is weak when it comes to signals intelligence.

The information gathered on the large-scale surveillance practices of Sweden is based primarily on the
expert input of Dr . Mark Klamberg, Uppsala University as well as press articles, and official
documentation.

[1] Swedish Government Official Reports record that Swedish law enforcement agencies began working with
signals intelligence as early as 1939.

[2] M. Klamberg, (2010), ‘FRA and the European Convention on Human Rights’, Nordic Yearbook of Law
and Information Technology, Bergen 2010, pp. 96-134.

[3] For further information on the Swedish legal
framework covering communications surveillance, see Klamberg, (2010)

Read more from our 'Joining the dots on state surveillance' series here.

Related

This article is published under a Creative Commons
Attribution-NonCommercial 4.0 International licence. If you have any
queries about republishing please
contact us.
Please check individual images for licensing details.